Quantum circuit for security proof of quantum key distribution without encryption of error syndrome and noisy processing

Kiyoshi Tamaki 1, 2 and Go Kato 3
1 NTT Basic Research Laboratories, NTT Corporation,
3-1, Morinosato Wakamiya Atsugi-Shi, Kanagawa, 243-0198, Japan
2 CREST, JST Agency, 4-1-8 Honcho, Kawaguchi, Saitama, 332-0012, Japan
3 NTT Communication Science Laboratories, NTT Corporation
3-1, Morinosato Wakamiya Atsugi-Shi, Kanagawa, 243-0198, Japan

One of the simplest security proofs of quantum key distribution is based on the so-called
complementarity scenario, which involves the complementarity control of an actual protocol and a
virtual protocol [M. Koashi, e-print arXiv:0704.3661 (2007)]. The existing virtual protocol has a
limitation in classical postprocessing, i.e., the syndrome for the error-correction step has to be
encrypted. In this paper, we remove this limitation by constructing a quantum circuit for the
virtual protocol. Moreover, our circuit with a shield system gives an intuitive proof of why adding
noise to the sifted key increases the bit error rate threshold in the general case in which one of
the parties does not possess a qubit. Thus, our circuit bridges the simple proof and the use of
wider classes of classical postprocessing.

I. INTRODUCTION

Quantum key distribution (QKD) is one of the most attractive research areas in quantum information
theory, which has practical applications, and it has been intensively investigated both
experimentally and theoretically. So far, many experiments of QKD have been reported (see, for
instance, [1]), and some of them have demonstrated the actual distillation of the secret key [2].
Since very hard work is needed for the actual implementation of QKD, it would be good from an
experimental viewpoint if we could implement QKD with easier setups and easier classical
postprocessing parts.

From the theoretical point of view, it is very important and interesting to consider a security
proof in a simple manner. One of the simplest approaches is to consider a complementarity control
of an actual protocol and a virtual protocol [3], which the sender (Alice) and the receiver (Bob)
can choose to execute, but cannot execute simultaneously. In the actual protocol, the goal is to
agree on the bit values along the computational basis, say the Z basis, while, in the virtual
protocol, Alice and Bob collaborate to create an eigenstate of the X basis (the conjugate basis of
Z) in Alice's side. With these protocols, Koashi proved in that the necessary and sufficient
condition for the secure key distillation is to successfully execute these complementary tasks.

In this security proof, the virtual protocol has to be constructed in such a way that an adversary
(Eve) cannot discriminate it from the actual one, and the existing virtual protocol assumes the
encryption of the syndrome for the error-correction step [||. Since the classical postprocessing
is very important in QKD, it is interesting to consider how to apply the complementarity control to
QKD without the encryption, and even with wider classes of classical postprocessing. An interesting
type of postprocessing is the so-called noisy processing, which was first introduced by Renner et
al. [5]. In this processing, by intentionally adding noise to one of the parties' sifted key, the
bit error rate threshold increases, and it is interesting to consider how to explain this
processing from the viewpoint of the complementarity control.

In this paper, we remove the encryption by explicitly constructing a qubit-based quantum circuit
for the virtual protocol, and we employ our circuit with a shield system to give an intuitive proof
of why the noisy processing increases the bit error rate threshold. Thus, our circuit bridges the
simple security proof and the use of wider classes of classical postprocessing. One of the features
of our quantum circuit is that it can output the syndrome, apply bit-flip operations, discard any
unnecessary qubit, and output the secret key simultaneously. Thus, the virtual protocol with our
quantum circuit can be equivalently converted to the actual protocol, and our circuit can
accommodate the use of one-way and bi-directional error-reconciliation codes.

Our approach to noisy processing assumes that only one of the parties has a qubit. This is one of
the advantages over the original proposal [5] or private state distillation approach [6], where
both of the parties have to possess a qubit. We note that we can apply our quantum circuit to the
security proof of protocols, such as BB84 , six-state protocol 0, H[ , and other protocols where
the so-called phase error rate in the code qubits can be tightly estimated, i.e., Bob can guess
Alice's fictitious X-basis bit value with arbitrarily small failure probability as the size of the
sifted key increases.

The organization of this paper is as follows. In Sec. II we briefly review the security proof
based on the complementarity scenario [H, 10], and then we construct the quantum circuit for a
virtual protocol in Koashi's proof in Sec. III. Next, we apply our quantum circuit to the following
cases: (i) Alice has a fictitious qubit in Sec. IV A, (ii) both Alice and Bob have fictitious
qubits in Sec. IV B, and (iii) noisy processing in Sec. IV C. Finally, we summarize our paper.



II. REVIEW OF COMPLEMENTARITY SCENARIO

A way to prove the security of QKD is to consider a virtual protocol that is equivalent to the
actual protocol and easy to analyze. Here, by "equivalent", we mean that the resulting secret key
is the same between two protocols and that all the information available to Eve, including
classical and quantum information, is the same. The former requirement is the equivalence from the
users' view, and the latter is the one from Eve's view. Thus, the security proved in the virtual
protocol means the security of the actual protocol. One approach along this line is to consider a
virtual protocol that is based on the distillation of the Bell state [11]-[13] of the form
$|\phi^+\rangle = \frac{1}{\sqrt{2}}(|0_z\rangle|0_z\rangle + |1_z\rangle|1_z\rangle)$, which we call
a Shor-Preskill type of proof. In this approach, the final key is generated via Z-basis (spanned by
$\{|0_z\rangle, |1_z\rangle\}$) measurement, and the high fidelity of the distilled state relative
to $|\phi^+\rangle$ guarantees the security since $|\phi^+\rangle$ is decoupled with Eve's system.

This proof can be seen from a different aspect. Since $|\phi^+\rangle$ has no probability of having
the bit (bit in Z-basis) and phase (bit in X-basis:
$\{|0_x\rangle = (|0_z\rangle + |1_z\rangle)/\sqrt{2},\ |1_x\rangle = (|0_z\rangle - |1_z\rangle)/\sqrt{2}\}$)
errors, one may conjecture that if Bob can perfectly predict Alice's measurement outcome regardless
of which basis was chosen (of course, these two tasks cannot be performed simultaneously), Alice
and Bob can share the secret key. This is an intuitive idea behind the complementarity control
[10], and in Q Koashi formally introduced complementarity control of the actual protocol and the
virtual protocol for the security proof. In the actual protocol, Alice and Bob try to share the
same bit values in Z-basis, and Alice tries to generate an X-basis eigenstate with the help of Bob
over the quantum channel in the virtual protocol. From the viewpoint of the Shor-Preskill type
proof, the former (latter) protocol is related with the fact that Bob can guess Alice's bit value
in Z-basis (X-basis) if Alice and Bob share $|\phi^+\rangle$. The actual protocol and virtual
protocols are exclusive of each other, and in order to prove the security of the actual protocol,
we require in the virtual protocol that Alice's and Bob's operations must commute with the
measurement of the final keys, which is called nondisturbing condition. Then, Koashi proved that
the task of the secret key distillation is equivalent to the complementarity control of the two
protocols, and the security of the final key can be analyzed by the virtual protocol only.

As an explicit example of the virtual protocol, Koashi proposed the virtual protocol with the
encryption of the syndrome [J]. Since the encryption gives Eve no information, Alice and Bob can
behave quite differently between the actual and virtual protocols. More precisely, Alice and Bob
can choose any code, including nonlinear codes, for the error-correction in the actual protocol
while they can perform any non-disturbing operations for Alice to prepare the X-basis eigenstate in
the virtual protocol. This means that we do not need to consider the measurement of the syndrome in
the virtual protocol, which makes the security analysis easy but limits classical postprocessing
parts.



III. OUR CIRCUIT FOR THE VIRTUAL PROTOCOL

In order to remove the assumption of the encryption, we propose a quantum circuit that outputs both
the syndrome for any linear codes and the required information for the distillation of the X-basis
eigenstate. Since our circuit assumes a possession of qubits, it can be applied to any party who
has a fictitious qubit state, such as Alice or a party with the squashing operator [14], with the
detector decoy [15], with a photon number resolving detector, and with other techniques to define
a qubit [16]. For the explanation, we assume that Alice has the fictitious qubit, and through
Alice's Z-basis measurement, the sifted key is determined. Moreover, we concentrate on the sifted
key, and we consider only Alice's side in order to show that Alice's key is independent of Eve's
system. The actual protocol runs as follows.

Actual protocol:
(Step 1) Alice conducts measurements on her (n + s) qubits, and she is left with (n + s) bits of a
sifted key.

(Step 2) Alice computes s-bit syndrome $S_Z^{(A)}$ for the error-reconciliation protocol to be sent
to Bob over a public channel without encryption. Then, depending on the error-correction codes and
the syndrome from Bob, Alice discards appropriate s bits and applies bit-flip operations on the
remaining n bits. At this point, Alice has an n-bit reconciled key $\kappa_{\rm rec}^{(A)}$.

(Step 3) Over a public discussion, Alice and Bob agree on randomly chosen independent $(n - m)$
n-bit strings $\{V_k\}_{k=1,\ldots,n-m}$. Alice takes
$\{\kappa_{\rm rec}^{(A)} \cdot V_k\}_{k=1,\ldots,n-m}$ as the final key $\kappa_{\rm fin}^{(A)}$.

Note that Step 3 corresponds to the privacy amplification [20]. In order to prove the security of
$\kappa_{\rm fin}^{(A)}$, we propose the following virtual protocol (see also Fig. 1).

Virtual protocol:
(Step 1v) Alice prepares the first set of CNOT quantum circuits (we call it CNOT(I)) and applies it
to her initial (n + s) qubits.

(Step 2v) Alice conducts Z-basis measurements on s qubits of the output ports of CNOT(I) to obtain
the syndrome $S_Z^{(A)}$ [26] and sends it to Bob over a public channel without the encryption. She
discards the s measured qubits, and depending on the syndrome from Bob, Alice applies bit-flip
operations on some qubits among the remaining n qubits.

(Step 3v) Alice prepares the second set of CNOT quantum circuits (CNOT(II)), and she applies it to
her n qubits. Next, Alice generates m-bit syndrome in X-basis $S_X^{(A)}$ by measuring the m qubits
of the output port of CNOT(II) along X-basis, and after receiving an information $\mu_B$ from Bob,
Alice obtains $(n - m)$ almost pure and direct product qubit states in X-basis. The final key
$\kappa_{\rm fin}^{(A)}$ is obtained by performing Z-basis measurement on the $(n - m)$ qubits.

FIG. 1: Schematics of our quantum circuit for the Virtual protocol. "bit-flip" consists of the
identity and the bit-flip operation $\sigma_x$, and "Purification" tries to purify the $(n - m)$
qubits by using $\mu_B$ and $S_X^{(A)}$.

Note that CNOT(II) is chosen randomly among the set of CNOT circuits with the following property:
the measurement on particular m output ports in X-basis is the same as measuring
$\{X^{U_i}\}_{i=1,2,\ldots,m}$ ($U_i \in F_2^n$) of the n input ports and the measurement on the
remaining $n - m$ output ports in Z-basis corresponds to the privacy amplification in (Step 3) of
the Actual protocol, i.e., the measurement of $\{Z^{V_k}\}_{k=1,2,\ldots,n-m}$ ($V_k \in F_2^n$) on
the n input ports. Here, $Z^{\vec{x}} = Z^{x_1} \otimes Z^{x_2} \otimes \cdots \otimes Z^{x_n}$ with
$Z^0 = 1$ and $Z^1 = Z$ and similar for X. The first property of CNOT(II) corresponds to the random
hashing along X-basis [11], and we note that if we make the hashing random, then the privacy
amplification becomes automatically random and vice versa since $U_i$ and $V_i$ are always
orthogonal [27].
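The orthogonality of the hashing vectors and the privacy-amplification vectors can be checked by tracking a CNOT network as a linear map over $F_2$ in each basis. The following is an added example, not code from the paper; the function names, the random circuit, and the convention that the first m output ports are X-measured while the remaining n - m are Z-measured are assumptions made for illustration.

```python
import random


def cnot_rows(n, circuit, basis):
    """Express every output port as a GF(2)-linear function of the n inputs.

    Row j is the n-bit vector W such that measuring output port j in `basis`
    equals measuring Z^W (basis "Z") or X^W (basis "X") on the input ports.
    Z basis: CNOT(c -> t) maps z_t to z_t XOR z_c.
    X basis: control and target swap roles, so x_c becomes x_c XOR x_t.
    """
    rows = [[int(i == j) for j in range(n)] for i in range(n)]
    for c, t in circuit:
        dst, src = (t, c) if basis == "Z" else (c, t)
        rows[dst] = [a ^ b for a, b in zip(rows[dst], rows[src])]
    return rows


def dot(u, v):
    """Inner product of two bit vectors modulo 2."""
    return sum(a & b for a, b in zip(u, v)) % 2


def gf2_rank(vectors):
    """Rank over GF(2) using an XOR basis of integer bitmasks."""
    basis = []
    for v in vectors:
        x = int("".join(map(str, v)), 2)
        for b in basis:
            x = min(x, x ^ b)  # clear the leading bit of b from x if it is set
        if x:
            basis.append(x)
    return len(basis)


def run_z(circuit, bits):
    """Apply the CNOT network to classical Z-basis bit values."""
    bits = list(bits)
    for c, t in circuit:
        bits[t] ^= bits[c]
    return bits


def hashing_and_pa_vectors(n, m, circuit):
    """Assumed port convention: outputs 0..m-1 are X-measured (hashing U_i),
    outputs m..n-1 are Z-measured (privacy amplification V_k)."""
    U = cnot_rows(n, circuit, "X")[:m]
    V = cnot_rows(n, circuit, "Z")[m:]
    return U, V


def demo(n=8, m=3, gates=40, seed=1):
    rng = random.Random(seed)
    circuit = []
    while len(circuit) < gates:  # constructed random CNOT network
        c, t = rng.randrange(n), rng.randrange(n)
        if c != t:
            circuit.append((c, t))
    U, V = hashing_and_pa_vectors(n, m, circuit)
    key = [rng.randrange(2) for _ in range(n)]  # constructed reconciled key
    return {
        # every X-hash vector is orthogonal to every Z-hash vector
        "orthogonal": all(dot(u, v) == 0 for u in U for v in V),
        "rank_U": gf2_rank(U),
        "rank_V": gf2_rank(V),
        # Z-measuring the last n - m outputs equals hashing the key with V_k
        "keys_match": run_z(circuit, key)[m:] == [dot(v, key) for v in V],
    }


if __name__ == "__main__":
    print(demo())
```

Because the X-basis and Z-basis matrices of the same network are inverse transposes of each other, rows taken from different output ports always have even overlap, which is why the X-basis syndrome measurement commutes with the final-key measurement.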

In (Step 3v) $\mu_B$ represents Bob's measurement outcome on his system, which is not necessarily
the system of qubits. We assume that $\mu_B$ gives Bob the estimation of the n bits of Alice's
fictitious X-basis measurement outcome with some uncertainty. The uncertainty will be removed by
Alice's random hashing along X-basis so that she can distill a direct product of X-basis
eigenstates and generate the secret key. Here, note that $\mu_B$ is not used for the later active
quantum operation such as a phase-flip operation. One of the important points in the Virtual
protocol is that since $S_Z^{(A)}$ and $S_X^{(A)}$ are generated via measurements on the different
systems, these measurements commute. Similarly, the final measurement along Z-basis and the
measurement of $S_X^{(A)}$ also commute, and the measurement of the final key in the virtual
protocol is the same as the one of the actual protocol thanks to the property of CNOT(II). Hence,
the newly introduced measurement of $S_X^{(A)}$ does not disturb any measurement outcomes in the
Actual protocol, and the Virtual protocol is not equivalent to the Actual protocol from Eve's view
with respect to $\mu_B$ and the measurement of $S_X^{(A)}$, which can be removed without degrading
the security as we will see.

For the security proof of the Virtual protocol, we again note that since CNOT(II) is chosen
randomly and independently, the measurement of $S_X^{(A)}$ serves as a random hashing [11] along
X-basis, hinting that if the number of the rounds of the random hashing is properly chosen, Alice
can generate an almost pure and direct product state in X-basis. Actually, this is the idea used in
the security proof in and its sketch of the proof is summarized as follows. The proof starts with
putting the assumption that the uncertainty of $X_A^{(n)}$ from Bob's view after obtaining $\mu_B$
is, say $n\xi$ bits. More precisely, we make the following assumption.

Assumption: There exists a set of n-bit sequences with cardinality $|T_{\mu_B}| < 2^{n\xi}$ for each
$\mu_B$ such that the pair of measurement outcomes $(\mu_B, X_A^{(n)})$ satisfies
$X_A^{(n)} \in T_{\mu_B}$ except for an exponentially small probability $\eta$.

By invoking the random hashing argument in [11] and by setting m as slightly larger than $n\xi$, we
can show that $\langle t_x|\sigma|t_x\rangle > 1 - \eta'$ where $\eta' = \eta + 2^{-n\epsilon}$.
Here, $|t_x\rangle$ is the n-qubit X-basis state that Alice thinks to have successfully distilled
and $\sigma$ is the actually distilled state. Note that the exponentially high fidelity guarantees
that $\kappa_{\rm fin}^{(A)}$ is composably secure [H[.
Next, we convert the Virtual protocol to the Actual protocol, i.e., we remove $\mu_B$ and
$S_X^{(A)}$ from the Virtual protocol while we keep the final key the same. The important point is
that we do not use the measurement outcome of $S_X^{(A)}$ and $\mu_B$ for any of the following
active quantum manipulations, such as bit-flip operations or other quantum evolutions. Moreover,
the measurement of $S_X^{(A)}$ commutes with the measurement of $\kappa_{\rm fin}^{(A)}$. Thus, even
if we skip the measurement of $S_X^{(A)}$ and sending $\mu_B$, the final key still remains exactly
the same, which ends the conversion, and only the fact that Alice could have generated the almost
pure state is enough to prove the security.



IV. APPLICATIONS OF OUR CIRCUIT 

So far, we have seen that the security can be proven by making the Assumption. In what follows, we
consider three particular cases to see how to confirm Assumption. (i) The first case, discussed in
Sec. IV A, is that only Alice has the fictitious qubits and the syndrome is sent from Alice to Bob
or bi-directionally [19]. (ii) The second case, in Sec. IV B, is that both Alice and Bob have the
qubits, and a bi-directional code is used. (iii) Finally, in Sec. IV C, we explain, by using our
circuit with a shield system, why noisy processing increases the bit error rate threshold. This
noisy processing was first introduced by Renner et al. [5] and later explained from the viewpoint
of T-state distillation [6].

For the discussion, we assume that thanks to the test bits, Alice and Bob know the rate $e_p$ of
the "phase errors", i.e., Alice's bit value ($X_A$), which could have been obtained via the
fictitious X-basis measurement on the (n + s) qubits (code bits) and Bob's prediction ($\mu_B$) on
$X_A$ differ. More precisely [20], for $\epsilon > 0$,

$P(|e_p - e_p^{(t)}| > \epsilon) < O(n+s)\,2^{-(n+s)\epsilon^2}$    (1)

holds, where $e_p^{(t)}$ is the phase error rate of the test bits. The important point for all the
cases (i)-(iii) is that Alice can in principle write down the candidate for $X_A^{(n)}$ as
$T^{(n)}_{\mu_B, e_p^{(t)}}$ and/or the candidate for $X_A$ as $T^{(n+s)}_{\mu_B, e_p^{(t)}}$ given
$\mu_B$. Another point is that CNOT quantum gates, if we are only interested in a particular basis,
can be expressed just as a linear and one-to-one function on the binary bit space. For the
explanation, let $F_{\rm CNOT(I)}$ be the linear and one-to-one function on binary (n + s)-bit
space, which corresponds to CNOT(I) in X-basis.

We remark that when one of the parties, say Bob, has no fictitious qubit, but Alice has, and they
use a bi-directional code, we assume that Bob can simultaneously output $\mu_B$ and the syndrome
for the bit errors $S_Z^{(B)}$.


A. Only Alice has the fictitious qubit 

Thanks to the estimation and Bob's measurement, Alice can write down the candidate for $X_A$ as
$T^{(n+s)}_{\mu_B, e_p^{(t)}} = \{\mu_B + \vec{r}_i\}_{i=1,2,\ldots,2^{(n+s)h(e_p^{(t)}+\epsilon)}}$.
Here, $h(x) = -x\log x - (1-x)\log(1-x)$ and
$\{\vec{r}_i\}_{i=1,2,\ldots,2^{(n+s)h(e_p^{(t)}+\epsilon)}}$ represents a set of independent
(n + s)-bit strings that contain at most $(n+s)(e_p^{(t)} + \epsilon)$ 1s. From
$T^{(n+s)}_{\mu_B, e_p^{(t)}}$, we can calculate the candidate for $X_A^{(n)}$ as
$T^{(n)}_{\mu_B, e_p^{(t)}} = \{{\rm Tr}_n[F_{\rm CNOT(I)}(\mu_B + \vec{r}_i)]\}_{i=1,2,\ldots,2^{(n+s)h(e_p^{(t)}+\epsilon)}}$,
where ${\rm Tr}_n$ means that we discard the last s-bit of each (n + s)-bit string. Since
$F_{\rm CNOT(I)}$ is a one-to-one function,
$|T^{(n)}_{\mu_B, e_p^{(t)}}| < 2^{(n+s)h(e_p^{(t)}+\epsilon)}$ holds, following that
$(n+s)(h(e_p^{(t)}+\epsilon)+\epsilon')$ rounds of the random hashing is enough for Alice to distill
the X-basis eigenstate. Here, $\epsilon'$ is a small positive number. We note that the key
generation rate G in the limit of large n can be written as

$G = (n+s)[1 - h(e_p^{(t)})] - (s+d)$,    (2)

where d is the number of bits that Alice discards when Alice and Bob use bi-directional codes [13].
Note that the security of Bob's key follows from the direct application of the complementarity
scenario [3].



B. Both parties have the fictitious qubits 

We assume that Bob has the same quantum circuit as Alice, and Bob measures the first n qubits of
the output port of CNOT(I) in X-basis, whose outcome is n-bit string $\mu_B$. Like the case in (i),
we can write down the candidate for $X_A$ as
$T^{(n+s)}_{\mu_B, e_p^{(t)}} = \{F^{-1}_{\rm CNOT(I)}(\mu'_B + \vec{a}_k) + \vec{r}_i\}_{i=1,2,\ldots,2^{(n+s)h(e_p^{(t)}+\epsilon)},\ k=1,2,\ldots,2^s}$,
where $\vec{a}_k$ is arbitrary $2^s$ (n + s)-bit strings with the first n bits all being zero, and
$\mu'_B$ is (n + s)-bit string with the first n bits being the same as $\mu_B$ and all the last s
bits being zero. Next, in order to calculate the required quantity $T^{(n)}_{\mu_B, e_p^{(t)}}$, we
apply Alice's CNOT(I) to each member of $T^{(n+s)}_{\mu_B, e_p^{(t)}}$ to obtain
$T^{(n)}_{\mu_B, e_p^{(t)}} = \{\mu_B + {\rm Tr}_n[F_{\rm CNOT(I)}(\vec{r}_i)]\}_{i=1,2,\ldots,2^{(n+s)h(e_p^{(t)}+\epsilon)}}$
[21], where we have used
${\rm Tr}_n[F_{\rm CNOT(I)}[F^{-1}_{\rm CNOT(I)}(\mu'_B + \vec{a}_k)]] = \mu_B$ and the linearity of
$F_{\rm CNOT(I)}$. Since $F_{\rm CNOT(I)}$ is a one-to-one function,
$|T^{(n)}_{\mu_B, e_p^{(t)}}| < 2^{(n+s)h(e_p^{(t)}+\epsilon)}$ holds, again following that
$(n+s)(h(e_p^{(t)}+\epsilon)+\epsilon')$ rounds of the random hashing is enough for Alice to distill
the X-basis eigenstate. We note that the amount of the privacy amplification is determined by
$e_p^{(t)}$, which means that the security level of Alice's and Bob's keys are the same. Note that
the key generation rate G in the limit of large n can be written as

$G = (n+s)[1 - h(e_p^{(t)})] - (s+d)$.    (3)



C. Noisy processing


In noisy processing Q, Alice randomly adds bit errors to her sifted key with probability
$0 < q < 1 \wedge q \neq 1/2$. This process can be alternatively realized first by preparing
shields in the state $|\phi_q\rangle_S^{\otimes(n+s)}$ where
$|\phi_q\rangle_S = \sqrt{1-q}\,|0_z\rangle_S + \sqrt{q}\,|1_z\rangle_S$, and then interacting each
of them with Alice's code qubits via CNOT gate with the shields being the control qubit with
respect to Z-basis (see also Fig. 2) [6]. The point is that the role of the target qubit and the
control qubit in CNOT is exchanged according to what basis we are working on. Suppose that the
state of Alice's code bit before the interaction is a classical mixture of a pure state, say
$|\psi\rangle_C = \sum_{\vec{x} \in T^{(n+s)}_{\mu_B, e_p^{(t)}}} a_{\vec{x}}\,|\vec{x}_x\rangle_C$
($\sum_{\vec{x} \in T^{(n+s)}_{\mu_B, e_p^{(t)}}} |a_{\vec{x}}|^2 = 1$) where
$\vec{x} = (x_1, x_2, \ldots, x_{(n+s)})$ is a (n + s)-bit string and $|\vec{x}_x\rangle$ is the
X-basis eigenstate. Then, the CNOT transforms $|\phi_q\rangle_S^{\otimes(n+s)}|\psi\rangle_C$ into
$\sum_{\vec{x} \in T^{(n+s)}_{\mu_B, e_p^{(t)}}} a_{\vec{x}}\,(Z^{\vec{x}}|\phi_q\rangle_S^{\otimes(n+s)})\,|\vec{x}_x\rangle_C$,
meaning that the information of Alice's code qubit in X-basis is transferred to the shield, and the
information is encoded in two nonorthogonal states $|\phi_q\rangle_S$ and $Z|\phi_q\rangle_S$.
Thus, by using the information that can be extracted from measuring the shield, Alice can reduce
the amount of hashing along X-basis, which enhances the bit error rate threshold as well as
increases the key generation rate.

FIG. 2: Schematics of the circuit for noisy processing. A difference from the circuit in Fig. 1 is
the shield part whose initial state is $|\phi_q\rangle^{\otimes(n+s)}$. Each code qubit is connected
with each shield via the CNOT gate, and PGM represents the pretty good measurement.

In what follows, we assume that Alice first applies m rounds of the random hashing to narrow down
the set of candidates $T^{(n+s)}_{\mu_B, e_p^{(t)}}$ to a smaller set $\Omega_m$, and then she
performs the fictitious measurement on the shield to identify the phase error pattern $X_A$.
Moreover, in order for $Z|\phi_q\rangle_S$ to represent the phase error between Alice and Bob, we
apply a phase-flip operation $Z^{\mu_B}$ to the shield before measuring it. For simplicity of this
discussion, we redefine $\mu_B + \vec{x}$ as $\vec{x}$, $\mu_B + X_A$ as $X_A$, and
$\{\mu_B + \vec{x}\}_{\vec{x} \in \Omega_m}$ as $\Omega_m$. Furthermore, we define
$|\vec{x}\rangle = Z^{\vec{x}}|\phi_q\rangle^{\otimes(n+s)}$.

What we have to construct is a positive operator valued measure (POVM) [2(| which can identify all
the members in $\{Z^{\vec{x}}|\phi_q\rangle^{\otimes(n+s)}\}_{\vec{x} \in \Omega_m}$ with
exponentially small failure probability in (n + s). For the construction, we employ the idea of the
so-called Pretty Good Measurement (PGM) US HI-. Originally, PGM can discriminate all the states in
a subset of the set stemming from an Identically and Independently Distributed (IID) source, and we
cannot directly apply this idea to our case where all the members in the whole set have to be
identified and $\{\vec{x}\}$ is not stemming from an IID source [23]. However, observe that
$T^{(n+s)}_{\mu_B, e_p^{(t)}}$ is obtained via the classical random sampling theorem or other
estimation method, and this set is very similar to the one stemming from an IID source with the
phase error rate $e_p$, i.e., in either case the most likely bit strings are those containing
$(n+s)e_p$ 1s. Thus, we infer that if $T^{(n+s)}_{\mu_B, e_p^{(t)}}$ is contained in the typical
space of the IID source, then we can remove the limitation of the IID. Actually, as we will see
later, it can be shown that this intuition with a generalized analysis of PGM solves our problem.



First, we define p as (1 — ep^)\<f» q ) (<t>< 



where $e_p^{(t)}$ is the phase error rate of the test bit defined in Eq. (1) and assume that
$\rho$ is diagonalized as

$\rho = \lambda_0|0\rangle\langle 0| + \lambda_1|1\rangle\langle 1|$.    (4)

We also define $\vec{a}$ as an (n + s)-bit string with respect to the $\{|0\rangle, |1\rangle\}$
basis, and thanks to the Bernoulli trial argument, we have for $\omega > 0$ and $(n+s) > 0$ [24],

$P(||\vec{a}| - (n+s)\lambda_1| > (n+s)\omega) < 2^{1-(n+s)\omega^2}$,    (5)

where $|\vec{a}|$ represents the Hamming distance of $\vec{a}$, and we call the space spanned by a
set of the $\{|0\rangle, |1\rangle\}$-basis eigenstates with $\vec{a}$ satisfying
$||\vec{a}| - (n+s)\lambda_1| < (n+s)\omega$ as $\omega$-typical subspace. For later use, we define
the projector onto this subspace as $P_\Lambda^{\omega}$, and note that the random sampling theorem
(Eq. (1)) states that

$P(||\vec{x}| - (n+s)e_p^{(t)}| > (n+s)\epsilon) < O(n+s)\,2^{-(n+s)\epsilon^2}$.    (6)

Note that if we chose $\epsilon$ and $\omega$ such that $\epsilon < \omega$ then the actual phase
error pattern is included in $\omega$-typical subspace with exponentially close probability to 1.
As we will explain the details in the Appendix, by averaging over the random hashing, POVM
$\{M_{\vec{x}}\}$



-1/2 



-1/2 



(7) 



where $P(|\psi\rangle) = |\psi\rangle\langle\psi|$, we can identify any $\vec{x} \in \Omega_m$ with
probability exponentially close to 1 in (n + s), i.e.,



Er 



(< 



x\M 3 \x) 



(n+s) u +e log 



,<*)- 



7^1 



> 1 - 6(n + s)2 

, 2-( n + s )[- h ( e p ) )+S(p)+rn/(n+s)-e-Lj] 

(8) 

where $E_{\Omega_m}$ represents the averaging over the random hashing, and
$S(\rho) = -{\rm Tr}(\rho\log_2\rho)$. By combining Eq. (8) with the failure probability of the
random sampling for the phase error rate from Eq. (6), the overall failure probability
$p_{\rm fail}$ of the identification of the correct phase error pattern can be upper-bounded by



Pfail 



< 1 - E, 



h m ([x\M 3 \xi) + 0(n + s)2-("+^ 



— (n+s) I u} +e lo; 



< 6(n + s) -2 

, 2- ( . n + s )[~ h ( e p > ) + S(p)+m/(n+s)-e-u] 

+ 0{ji + s)2- {n+s ^ . 



(9) 
Thus, in order for the failure probability to be exponentially small in (n + s), we have to choose
parameters such that



elog 



1 - e 



(t) 




and 



(h{ef)-S(p) 



(10) 



(11) 



where $\delta$ and $\delta_m$ are small positive numbers. Eq. (10) means that $\omega$ has to be
larger than $\epsilon$ (assuming $0 < \omega < 1$), which confirms our inference. With the above
choice of the parameter sets, the fidelity F of the final state $\sigma$ with respect to the target
X-basis eigenstate $|t_x\rangle$, i.e., $\langle t_x|\sigma|t_x\rangle$ is expressed as

$F = 1 - p_{\rm fail} > 1 - 6(n+s)\,2^{-(n+s)\delta} - 2^{-(n+s)\delta_m} - O(n+s)\,2^{-(n+s)\epsilon^2}$,    (12)


and the key generation rate G in the limit of large n is

$G = (n+s)[1 - (h(e_p^{(t)}) - S(\rho))] - (s+d)$.    (13)

As an example, we consider BB84 and we assume that the phase error rate and unprocessed bit error
rates are the same and we use an ideal error correcting code. It follows that G is asymptotically
given by

$G \propto 1 - [h(e_p^{(t)}) - S(\rho)] - h(e_p^{(t)}(1-q) + q(1-e_p^{(t)}))$    (14)

with $e_p^{(t)}$ being the same as the bit error rate in the test bits. In this case, it can be seen
that the bit error rate threshold is 12.4% with $q \to 1/2$. This value matches the rate provided by
[H, Hj]. Intuitively, when q is close to 1/2, Alice has to discriminate almost orthogonal states,
and a negligibly small amount of privacy amplification is needed.
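The threshold quoted above can be reproduced numerically. The following is an added example, not code from the paper: it assumes that Eq. (14) reads $G \propto 1 - [h(e) - S(\rho)] - h(e(1-q) + q(1-e))$ and that $\rho = (1-e)|\phi_q\rangle\langle\phi_q| + e\,Z|\phi_q\rangle\langle\phi_q|Z$ with $|\phi_q\rangle = \sqrt{1-q}|0\rangle + \sqrt{q}|1\rangle$, and all function names are illustrative.

```python
import math


def h(x):
    """Binary Shannon entropy in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def shield_entropy(e, q):
    """von Neumann entropy S(rho) of the single-shield state (assumed form).

    rho = (1-e)|phi_q><phi_q| + e Z|phi_q><phi_q|Z is the 2x2 matrix
    [[1-q, (1-2e)sqrt(q(1-q))], [(1-2e)sqrt(q(1-q)), q]], whose eigenvalues
    are (1 +/- sqrt(1 - 16 q(1-q) e(1-e))) / 2.
    """
    disc = 1.0 - 16.0 * q * (1.0 - q) * e * (1.0 - e)
    lam = 0.5 * (1.0 - math.sqrt(max(disc, 0.0)))
    return h(lam)


def key_rate(e, q):
    """Asymptotic rate per sifted bit under the assumed reading of Eq. (14)."""
    e_bit = e * (1.0 - q) + q * (1.0 - e)  # bit error rate after added noise
    return 1.0 - (h(e) - shield_entropy(e, q)) - h(e_bit)


def error_threshold(q, step=1e-3, tol=1e-9):
    """Largest error rate e with positive key rate, for noise level q.

    Scans upward in coarse steps to bracket the first sign change of the
    rate, then refines the bracket by bisection.
    """
    lo = step
    if key_rate(lo, q) <= 0.0:
        return 0.0
    while lo + step < 0.5 and key_rate(lo + step, q) > 0.0:
        lo += step
    hi = lo + step
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if key_rate(mid, q) > 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def threshold_table(qs=(0.0, 0.1, 0.25, 0.4, 0.49, 0.499)):
    """Thresholds for several noise levels, approaching q = 1/2."""
    return [(q, error_threshold(q)) for q in qs]


if __name__ == "__main__":
    for q, e_max in threshold_table():
        print(f"q = {q:5.3f}  threshold = {100 * e_max:.2f}%")
```

With q = 0 the rate reduces to 1 - 2h(e), and as q approaches 1/2 the threshold rises toward the 12.4% stated in the text while the rate itself shrinks toward zero.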

Moreover, our analysis can be applied to six-state protocol Q . In order to compare the bit error
rate threshold given in [!, Q , we assume that Alice and Bob possess the fictitious qubits. In this
case, we can employ the mutual information between the bit and phase errors to reduce the amount of
hashing along X-basis [25], [26]. Thus, the phase error rate on the code bit is dependent on
whether there is a bit error or not, and we can apply our idea to the cases with and without the
bit error separately. The resulting key generation rate G in the limit of large n and s is

$G = (n+s)\{1 - [H(Z|X) - \sum_i P(X=i)S(\rho_i)]\} - [H(X) + d]$,    (15)

where $H(X)(= s)$ represents the Shannon entropy for the bit error pattern, $H(Z|X)$ represents the
conditional Shannon entropy of the phase error pattern given the bit error pattern, and $P(X)$ is
the probability that there is the bit error (X = 0) or not (X = 1). Moreover, $\rho_i$ is the
density matrix conditional on X = i, and it is obtained by replacing $e_p^{(t)}$ in $\rho$ with the
phase error rate probability conditional on the realization of X. By performing the optimization
again in terms of the bit error rate threshold by varying q, we obtain the improved bit error rate
threshold 14.1% when $q \to 1/2$. We note that this rate matches the one given by [1, H| .



V. SUMMARY 

In summary, we have constructed a quantum circuit for the virtual protocol in the complementarity
control to remove the encryption of the syndrome. We applied our circuit to the cases (i) Alice has
a fictitious qubit, (ii) both Alice and Bob have fictitious qubits, and (iii) noisy processing. In
noisy processing, our proof covers the case where only one party has a qubit, which is a
generalization of the original proposal.

In the analysis of noisy processing, we have to discriminate any state in a set with exponentially
small failure probability, and a bit string is encoded in the state and the states are
nonorthogonal to each other. We have formally shown that PGM can solve this problem, which is a
generalization of the original PGM idea in which some states in the set have to be discarded and
the states stem from an IID source.

Appendix A

In this Appendix, we show that $E_{\Omega_m}(\langle\vec{x}|M_{\vec{x}}|\vec{x}\rangle)$ is
exponentially close to 1 in (n + s) for any $\vec{x} \in \Omega_m$. In the analysis, we assumed
that $0 < e_p^{(t)} < 1/2$, and we used some techniques from [2(| . First, one can show that



E 

xe.Q m 



x { p x\ x >i^en m — A ' 



(Al) 



where 1, 



is the identity operator of the space 
x)}xen m - This means that {M$} and 



(15) 



spanned by {P£ 
an additional positive operator that corresponds to the 
failure discrimination of a state on untypical subspace 
form a POVM on w-typical subspace. 
Next, a direct calculation shows that
En m (<a|Mif|3)) 



and its exponent is lower-bounded as 



(n + s)h 



W\ log 2 e ( p 



(t) 



E< 



-1/2 



?\pz E 



, x'en„ 



(n + s) 

+ (n + S -|x|)log 2 (l-eW) 

-m4°) 



= (n + s) 



(n + s) 



(A2) 

Let us regard «x|P A ") (E x ^a m P A w |£Xx|P A ")- 1/2 (P A "|o?)) 
as the (a;, x') component of the matrix T 1 / 2 , which is 
a real value, and by using y 2 > 2y — 1 for real y and 
r 1 / 2 > 3r/2 - T 2 /2 [H, we have 

(r^k,) 2 > 2^1^-1 

> ••il' ,,, I 2 ,,, 1. (A3) 

Moreover, by using 

IW = J2( Tl/2 ^-y( Tl/2 ^' = ^l p A 1*0, (A4) 

we have 

E Qm (<^Afe|£)) 

> 3<f|P A -|f> - Eo m (<z|P A w E |f><f|P A w |f)) -1. 

(A5) 

In order to evaluate (x\P£\x) we consider (x\(l — P A )|ar), 
which is upper-bounded as 

(f|(l-i^)|f) 

f B .t |C| = |X| 

E^4 4) ) |ir| (l - e«)(«+ s )-l-l(iJ|(l - Pjf)|^ 



+ -|f| 



log 2 



1 -e 



(*) 



< 



((„ +s) qx|)(e^)l s l(l-e^)(" +s )-l^ 



(A6) 

where the last summation is taken with respect to all 
(n + s)-bit string v, and 1 is the identity matrix of the 
space spanned by all \v). Since p®("+ s ) = £~(e£ ) )'"'(! - 
e (*))(n+»)-H|^^ holds, we have 

(£|(1-P A ")|£) 

Tr(p®( n+s )(U-P^)) 



< 



( ( „ +s) q £ |)(e^)l»l(l-eW) ( " +s) - |S| 



(t)> 



(A7) 



Note that 

((„ +s )q^|)(eW)^(l-e«)(" +s )-^ 

2 („ +s )fe( T -l|L T )+|S| log 2 e W + ( n + s -|5|)log 2 (l- e W) 



> 



(n + s) 



(A8) 



> (n + s)e 
= (n + s)elo, 



,(*) 



(t) 



,(*) 



On the other hand, from Eq. ([5]), we have 

Tr ^3®(™ +s )(l — P A )J < 2 1_ ( ,l+;s )" 2 , 

following that (xlP^la?) is lower-bounded by 
(x\PZ\x) 



(A9) 



(A10) 



l-(n+a)( w 2 + £ log, (t) -— ;ty 



> 1 - (n + a)2 



Next, we evaluate the second term of Eq. (|A5 



= s 0m I (s\Px E e n m (y)m(y\n 
V ^« 

= (o?|P A w E 2- m |y}(y|Pr|f) 

+ (i-2-™)i(f|pri y -)i 2 

< <z|P A " E 2-™|y)(y|Pr|x) + l, 



(All) 



(A12) 



where @n m (y) = 1 if y G f2 m , otherwise @n m (y) = 0. In 
the second equality, we used the fact that the bit string 
corresponding to the actual error pattern Xa € T~ a e 
is always selected as f2 m , and the probability that j/* 7^ 
Aa Ave T~™ „ is chosen as fi m is 2~ m . Observe that 

2 -(„ +5 )(h( e w )+£ ) ^ < p® (n+s) , (A13) 
and



Combining all together, we have the final expression as 



(x\PZp® (n+s) PZ\x) 

< ( Wtyp |^("+ s >K yp > 

< 2 -("+ s )[ s (p)- w ] 



(A14) 



where $|\omega_{\rm typ}\rangle$ is a state on the $\omega$-typical subspace. Using
them, we have



£'&Q„ 



< 



2-(n+s)[-h(eW)+S(p)+m/(n+s)-e-ui] + { _ ( A15 ) 



(< 



En (x\MM 



— (n+s) I u: +e log 



> 1 - 6(n + s)2 

_|_ 2-(™+ s )[-' l ( e p ) )+S(p)+rn/(n+s)-e-w 



(sjt: „(*) 



(A16) 